Media release

New South Wales’ acting Privacy Commissioner John McAteer has voiced concerns about the security of personal information held by organisations, following media reports on a data breach involving First State Super.

In June this year Mr McAteer reported on a data breach where the University of Sydney failed to protect students’ personal data during an information leak via its website.

“At the time, I warned organisations to be vigilant in checking the security of their client holdings, and to test for any flaws or patches required to prevent client details being accessed through their websites,” he said.

“That report advised that large corporations and agencies have available to them dedicated IT and information resources. This entitles the community to expect from them higher rates of awareness of information security risks and maintaining vigilant breach prevention programs.”

Mr McAteer said information released in the media yesterday concerning an alleged data breach by First State Super appeared to have parallels with the University of Sydney matter.

First State Super’s privacy obligations are jointly overseen by the Australian Privacy Commissioner, concerning personal information under the Privacy Act 1988 (Cth), and the NSW Privacy Commissioner, concerning personal health information under the Health Records and Information Privacy Act 2002 (NSW).

“Without confirmed details of the First State Super data systems, I cannot comment on the exact incidents,” Mr McAteer said.

“However, from the allegations as outlined in the media reports, previous investigations have established that these types of errors can be reasonably detected with proper testing.”

While noting the legal issues apparently raised with the member who reported the breach, Mr McAteer said the Trustee Corporation (FSS) was similarly bound to comply with laws including, in this instance, National Privacy Principle 4 and NSW Health Privacy Principle 5.

“In addition, the reports of First State Super’s general response to being alerted to the breach highlight from a practical perspective the lack of any policy concerning ‘breach notifications’ in the First State Super Privacy Policy,” he said.

“This reinforces the continued need to examine the legislating of mandatory breach notifications for organisations.”